Overview
Support for delegated authentication with Shibboleth comes from the new Delegated SAML Authentication library, which required the Web Proxy Portlet to be updated to httpclient 4.0-beta2. This integration involved significant refactoring of the Web Proxy Portlet's proxying implementation, as well as an update to its state persistence API. All work performed as part of the httpclient upgrade has been contributed to the trunk of the public project (currently available in the Jasig repository at https://www.ja-sig.org/svn/portlets/WebproxyPortlet/trunk).
In order to perform the Shibboleth integration itself, a new subclass of HttpManagerImpl has been created for the University of Chicago. This implementation is capable of constructing a new SAMLSession for the current portlet request and returning an HttpClient instance created by this SAMLSession for any portlet requiring SAML authentication.
While we anticipate eventually open-sourcing the new Shibboleth-enabling HttpManager implementation, this work will not be publicly available until the Delegated SAML library dependency is publicly available.
Modifying and Configuring the Web Proxy Portlet
The Delegated SAML Authentication library must be added as a dependency. To add it, the following should be added to the dependencies section of the portlet's pom.xml file (from version 1.1.1 on):

<dependency>
<groupId>org.jasig.service</groupId>
<artifactId>delegated-saml-authentication</artifactId>
<version>1.0</version>
<type>jar</type>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>xml-apis</artifactId>
<groupId>xml-apis</groupId>
</exclusion>
</exclusions>
</dependency>

The exclusion is meant to avoid getting two different versions of the excluded artifact.

The nekohtml dependency is declared with an exclusion as well:

<dependency>
<groupId>nekohtml</groupId>
<artifactId>nekohtml</artifactId>
<version>0.9.5</version>
<type>jar</type>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
</exclusions>
</dependency>

As with the previous exclusion, this is meant to avoid getting duplicate versions of the same library.

Optionally, you may add the following plugin to build a portlet war file that can simply be dropped into Tomcat's webapps directory instead of using the "ant deployPortletApp" method. To add the pluto plugin, a couple of additions need to be made to pom.xml as follows:

...
<properties>
<pluto.version>1.1.7</pluto.version> <!-- Add this just before the dependencies section -->
</properties>
<!-- Add the following two plugins to the end of the plugins section -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<webXml>${project.build.directory}/pluto-resources/web.xml</webXml>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.pluto</groupId>
<artifactId>maven-pluto-plugin</artifactId>
<version>${pluto.version}</version>
<executions>
<execution>
<phase>generate-resources</phase>
<goals>
<goal>assemble</goal>
</goals>
</execution>
</executions>
</plugin>

Next, the existing HttpManager bean in the Spring configuration should be updated to use the new implementation with the appropriate Shibboleth-related parameters:

...
<bean id="HttpManagerBean" class="edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl" scope="prototype">
</bean>
...

Steps for updating the Web Proxy Portlet included with the uPortal EAR package

Step 1 - Updating the Web Proxy Portlet Version
In the pom.xml file, update the WebProxyPortlet.version line to specify 1.1.1:

...
<WebProxyPortlet.version>1.1.1</WebProxyPortlet.version>

Step 2 - Enabling the Shibboleth Http Manager
Add the file uportal-portlets-overlay/WebProxyPortlet/src/main/webapp/WEB-INF/applicationContextOverrides.xml with the contents below. You'll need to set the spPrivateKey, spCertificate, and portalEntityID properties appropriately for your institution.

<?xml version="1.0" encoding="UTF-8"?>
<!--
| Override specific bean(s) from applicationContext.xml
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
<bean id="HttpManagerBean" class="edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl" scope="prototype">
<property name="spPrivateKey" value="/opt/shibboleth-sp/etc/shibboleth/sp-key.pem"/>
<property name="spCertificate" value="/opt/shibboleth-sp/etc/shibboleth/sp-cert.pem"/>
<property name="portalEntityID" value="https://my.example.com/shibboleth"/>
</bean>
</beans>
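Before deploying the override file above, a deployer will want to confirm that the key and certificate files it references actually exist, that the SP private key is not readable by other accounts on the portal host, and that the entity ID is an absolute https URL. The following Python script is added here as an illustration; it is not part of the Web Proxy Portlet, uPortal, or the Delegated SAML Authentication library. It parses a bean definition shaped like the one above and runs those checks. The PEM files it writes for its own demo are constructed placeholders, not real key material, and the check functions assume the file paths are local to the host running the script.

```python
"""Sanity-check the HttpManagerBean in a Web Proxy Portlet applicationContextOverrides.xml.

Constructed example (not project code). Checks the three Shibboleth properties the
way a deployer would before starting Tomcat:
  * spPrivateKey   - file exists, looks like a PEM private key, not group/world readable
  * spCertificate  - file exists and looks like a PEM certificate
  * portalEntityID - absolute https URL
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPRING_NS = "{http://www.springframework.org/schema/beans}"
HTTP_MANAGER_CLASS = "edu.wisc.my.webproxy.beans.http.ShibbolethEnabledHttpManagerImpl"
PEM_MARKERS = {
    "spPrivateKey": ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----",
                     "-----BEGIN EC PRIVATE KEY-----"),
    "spCertificate": ("-----BEGIN CERTIFICATE-----",),
}

# Constructed override file modelled on the one above; paths are filled in at run time.
OVERRIDES_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="HttpManagerBean" class="{cls}" scope="prototype">
    <property name="spPrivateKey" value="{key}"/>
    <property name="spCertificate" value="{cert}"/>
    <property name="portalEntityID" value="{entity}"/>
  </bean>
</beans>
"""


def http_manager_properties(xml_text):
    """Return {property name: value} of HttpManagerBean; raise ValueError if it is absent or wrong class."""
    root = ET.fromstring(xml_text)
    for bean in root.iter(SPRING_NS + "bean"):
        if bean.get("id") == "HttpManagerBean":
            if bean.get("class") != HTTP_MANAGER_CLASS:
                raise ValueError("HttpManagerBean does not use " + HTTP_MANAGER_CLASS)
            return {p.get("name"): p.get("value") for p in bean.findall(SPRING_NS + "property")}
    raise ValueError("no HttpManagerBean defined")


def check_pem_file(path, markers, private):
    """Return a list of findings (empty if fine) for a PEM file referenced by the bean."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    findings = []
    # A private key should be readable by the Tomcat user only (mode 0600 or stricter).
    if private and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: private key readable by group/others "
                        f"(mode {stat.S_IMODE(st.st_mode):o})")
    with open(path, "r", errors="replace") as fh:
        head = fh.read(64)
    if not head.lstrip().startswith(markers):
        kind = "private key" if private else "certificate"
        findings.append(f"{path}: not a PEM {kind}")
    return findings


def check_overrides(xml_text):
    """Return all findings for the override file; an empty list means it passed."""
    props = http_manager_properties(xml_text)
    findings = [f"missing property {n}" for n in ("spPrivateKey", "spCertificate", "portalEntityID")
                if not props.get(n)]
    if findings:
        return findings
    findings += check_pem_file(props["spPrivateKey"], PEM_MARKERS["spPrivateKey"], private=True)
    findings += check_pem_file(props["spCertificate"], PEM_MARKERS["spCertificate"], private=False)
    entity = urlparse(props["portalEntityID"])
    if entity.scheme != "https" or not entity.netloc:
        findings.append(f"portalEntityID {props['portalEntityID']!r} is not an absolute https URL")
    return findings


def demo(key_mode=0o600, entity="https://my.example.com/shibboleth"):
    """Write constructed placeholder PEM files into a temp dir and check a bean that points at them."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = os.path.join(d, "sp-key.pem"), os.path.join(d, "sp-cert.pem")
        with open(key, "w") as fh:  # placeholder, not real key material
            fh.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(key, key_mode)
        with open(cert, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n")
        xml_text = OVERRIDES_TEMPLATE.format(cls=HTTP_MANAGER_CLASS, key=key, cert=cert, entity=entity)
        return check_overrides(xml_text)


if __name__ == "__main__":
    print("0600 key, https entity:", demo() or "OK")
    print("0644 key, http entity: ", demo(key_mode=0o644, entity="http://my.example.com/shibboleth"))
```

Point check_overrides at the real file (for example `check_overrides(open(path).read())`) from the account Tomcat runs as, so the permission check reflects what the portlet itself will be able to read.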
Step 3 - Enable the SAML User Attributes
Copy the portlet.xml file from the release to uportal-portlets-overlay/WebProxyPortlet/src/main/webapp/WEB-INF/portlet.xml and add the following user attributes:

<user-attribute>
<description>idpPublicKeys</description>
<name>idpPublicKeys</name>
</user-attribute>
<user-attribute>
<description>samlAssertion</description>
<name>samlAssertion</name>
</user-attribute>
Optional - Modifying uPortal's Web Proxy Portlet CPD
To list Shibboleth as an authentication option in uPortal's administrative interface, add <value>SHIBBOLETH</value> as an option for the "PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType" parameter in uPortal's Web Proxy Portlet CPD. This file is located within uPortal at uportal-war/src/main/resources/edu/wisc/my/portlets/WebProxy/WebProxyPortlet.cpd.

<parameter modify="publish">
<name>PORTLET.edu.wisc.my.webproxy.webproxy.httpclient.sAuthType</name>
<label>Type of authentication (optional)</label>
<type base="string" input="single-choice" display="drop-down">
<restriction type="enumeration">
<value></value>
<value>SHIBBOLETH</value>
<value>FORM</value>
<value>BASIC</value>
<value>NTLM</value>
</restriction>
</type>
<defaultValue></defaultValue>
<description>Select the type of authentication the web-based application requires.</description>
</parameter>